What happened
SolarWinds released security updates on February 24, 2026, to fix four critical remote code execution (RCE) vulnerabilities in its Serv-U managed file transfer software version 15.5, each rated 9.1 on the CVSS severity scale. These flaws could allow an attacker with administrative privileges to execute arbitrary code or gain elevated access on affected servers.
Who is affected
Organizations running SolarWinds Serv-U 15.5 environments are impacted; all users of that version on Windows or Linux should assess exposure and upgrade to Serv-U 15.5.4 as soon as possible.
Why CISOs should care
Though exploitation requires high privileges, successful abuse of these flaws could result in full system compromise, including root-level code execution on file transfer servers that often handle sensitive data. Past Serv-U vulnerabilities have been targeted in attacks, reinforcing the need for rapid remediation.
3 practical actions
- Patch immediately: Verify Serv-U instances are updated to version 15.5.4 or later and apply vendor-provided patches without delay.
- Harden access controls: Limit administrative privileges and enforce least privilege for accounts interacting with Serv-U systems.
- Monitor and audit: Enhance logging and threat detection around file transfer servers, and review logs for unusual activity that indicates credential misuse or escalation attempts.
